
<!doctype html>
<html lang="en" class="no-js">
  <head>
    
      <meta charset="utf-8">
      <meta name="viewport" content="width=device-width,initial-scale=1">
      
        <meta name="description" content="An examination and detection of the BPFDoor malware.">
      
      
      
        <link rel="canonical" href="https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/">
      
      
        
      
      <link rel="icon" href="../../../../../assets/img/favicon.ico">
      <meta name="generator" content="mkdocs-1.2.3, mkdocs-material-8.2.4+insiders-4.10.1">
    
    
      
        <title>A peek behind the BPFDoor - Elastic Security Research</title>
      
    
    
      <link rel="stylesheet" href="../../../../../assets/stylesheets/main.589a02ac.min.css">
      
        
        <link rel="stylesheet" href="../../../../../assets/stylesheets/palette.e6a45f82.min.css">
        
      
      
    
    
    
      
        
        
        <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
        <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Inter:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
        <style>:root{--md-text-font:"Inter";--md-code-font:"Roboto Mono"}</style>
      
    
    
      <link rel="stylesheet" href="../../../../../assets/css/extra.css">
    
    <script>__md_scope=new URL("../../../../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
    
      
  


  
  


  <script id="__analytics">function __md_analytics(){function n(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],n("js",new Date),n("config","G-PP6W2PS48B"),document.addEventListener("DOMContentLoaded",function(){if(document.forms.search&&document.forms.search.query.addEventListener("blur",function(){this.value&&n("event","search",{search_term:this.value})}),document.forms.feedback){var e,a=document.forms.feedback;for(e of a.querySelectorAll("[type=submit]"))e.addEventListener("click",function(e){e.preventDefault();var t=document.location.pathname,e=this.getAttribute("data-md-value");n("event","feedback",{page:t,data:e}),a.firstElementChild.disabled=!0;e=a.querySelector(".md-feedback__note [data-md-value='"+e+"']");e&&(e.hidden=!1)}),a.hidden=!1}"undefined"!=typeof location$&&location$.subscribe(function(e){n("config","G-PP6W2PS48B",{page_path:e.pathname})})});var e=document.createElement("script");e.async=!0,e.src="https://www.googletagmanager.com/gtag/js?id=G-PP6W2PS48B",document.getElementById("__analytics").insertAdjacentElement("afterEnd",e)}</script>

  
    <script>var consent;"undefined"==typeof __md_analytics||(consent=__md_get("__consent"))&&consent.analytics&&__md_analytics()</script>
  

    
    
      
        <meta  property="og:type"  content="website" >
      
        <meta  property="og:title"  content="A peek behind the BPFDoor - Elastic Security Research" >
      
        <meta  property="og:description"  content="An examination and detection of the BPFDoor malware." >
      
        <meta  property="og:image"  content="https://elastic.github.io/security-research/assets/images/social/intelligence/2022/05/04.bpfdoor/article.png" >
      
        <meta  property="og:image:type"  content="image/png" >
      
        <meta  property="og:image:width"  content="1200" >
      
        <meta  property="og:image:height"  content="630" >
      
        <meta  property="og:url"  content="https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/" >
      
        <meta  name="twitter:card"  content="summary_large_image" >
      
        <meta  name="twitter:title"  content="A peek behind the BPFDoor - Elastic Security Research" >
      
        <meta  name="twitter:description"  content="An examination and detection of the BPFDoor malware." >
      
        <meta  name="twitter:image"  content="https://elastic.github.io/security-research/assets/images/social/intelligence/2022/05/04.bpfdoor/article.png" >
      
    
    


  </head>
  
  
    
    
    
    
    
    <body dir="ltr" data-md-color-scheme="elastic" data-md-color-primary="" data-md-color-accent="">
  
    
    
    
      
    
      
    
      
    
      
    
      
    
      
    
      
    
      
    
      
    
      
    
      
    
      
    
      
    
      
    
      
    
      
    
      
    
      
    
      
    
      
    
      
    
      
    
      
    
      
    
    
    <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
    <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
    <label class="md-overlay" for="__drawer"></label>
    <div data-md-component="skip">
      
        
        <a href="#preamble" class="md-skip">
          Skip to content
        </a>
      
    </div>
    <div data-md-component="announce">
      
    </div>
    
    
      

<header class="md-header" data-md-component="header">
  <nav class="md-header__inner md-grid" aria-label="Header">
    <a href="../../../../.." title="Elastic Security Research" class="md-header__button md-logo" aria-label="Elastic Security Research" data-md-component="logo">
      
  <img src="../../../../../assets/img/logo.svg" alt="logo">

    </a>
    <label class="md-header__button md-icon" for="__drawer">
      <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
    </label>
    <div class="md-header__title" data-md-component="header-title">
      <div class="md-header__ellipsis">
        <div class="md-header__topic">
          <span class="md-ellipsis">
            Elastic Security Research
          </span>
        </div>
        <div class="md-header__topic" data-md-component="header-topic">
          <span class="md-ellipsis">
            
              A peek behind the BPFDoor
            
          </span>
        </div>
      </div>
    </div>
    
    
    
      <label class="md-header__button md-icon" for="__search">
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
      </label>
      <div class="md-search" data-md-component="search" role="dialog">
  <label class="md-search__overlay" for="__search"></label>
  <div class="md-search__inner" role="search">
    <form class="md-search__form" name="search">
      <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
      <label class="md-search__icon md-icon" for="__search">
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
      </label>
      <nav class="md-search__options" aria-label="Search">
        
        <button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
          <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
        </button>
      </nav>
      
    </form>
    <div class="md-search__output">
      <div class="md-search__scrollwrap" data-md-scrollfix>
        <div class="md-search-result" data-md-component="search-result">
          <div class="md-search-result__meta">
            Initializing search
          </div>
          <ol class="md-search-result__list"></ol>
        </div>
      </div>
    </div>
  </div>
</div>
    
    
    
  </nav>
  
</header>
    
    <div class="md-container" data-md-component="container">
      
      
        
          
            
<nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
  <div class="md-tabs__inner md-grid">
    <ul class="md-tabs__list">
      
        


  
    
    
  
  
    <li class="md-tabs__item">
      <a href="../../../../.." class="md-tabs__link">
        
  
  Elastic Security Research

      </a>
    </li>
  

      
        


  
    
    
      
    
  
  
    
    
    
      <li class="md-tabs__item">
        <a href="../../../../" class="md-tabs__link md-tabs__link--active">
          
  
    
  
  Intelligence Analysis

        </a>
      </li>
    
  

      
        


  
    
    
  
  
    
    
    
      <li class="md-tabs__item">
        <a href="../../../../../malware/" class="md-tabs__link">
          
  
    
  
  Malware Analysis

        </a>
      </li>
    
  

      
        


  
    
    
  
  
    
    
    
      <li class="md-tabs__item">
        <a href="../../../../../whitepapers/" class="md-tabs__link">
          
  
    
  
  Whitepapers

        </a>
      </li>
    
  

      
        


  
    
    
  
  
    
    
    
      <li class="md-tabs__item">
        <a href="../../../../../tools/" class="md-tabs__link">
          
  
    
  
  Tools

        </a>
      </li>
    
  

      
        


  
    
    
  
  
    <li class="md-tabs__item">
      <a href="../../../../../tags/" class="md-tabs__link">
        
  
  Tag Index

      </a>
    </li>
  

      
    </ul>
  </div>
</nav>
          
        
      
      <main class="md-main" data-md-component="main">
        <div class="md-main__inner md-grid">
          
            
              
              <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
                <div class="md-sidebar__scrollwrap">
                  <div class="md-sidebar__inner">
                    

  


<nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
  <label class="md-nav__title" for="__drawer">
    <a href="../../../../.." title="Elastic Security Research" class="md-nav__button md-logo" aria-label="Elastic Security Research" data-md-component="logo">
      
  <img src="../../../../../assets/img/logo.svg" alt="logo">

    </a>
    Elastic Security Research
  </label>
  
  <ul class="md-nav__list" data-md-scrollfix>
    
      
      
      


  
  
  
    <li class="md-nav__item">
      <a href="../../../../.." class="md-nav__link">
        
  
  <span class="md-ellipsis">
    Elastic Security Research
  </span>

      </a>
    </li>
  

    
      
      
      


  
  
    
  
  
    
    <li class="md-nav__item md-nav__item--active md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" checked>
      
      
      
      
        <label class="md-nav__link" for="__nav_2">
          
  
  <span class="md-ellipsis">
    Intelligence Analysis
  </span>

          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <nav class="md-nav" aria-label="Intelligence Analysis" data-md-level="1">
        <label class="md-nav__title" for="__nav_2">
          <span class="md-nav__icon md-icon"></span>
          Intelligence Analysis
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../../" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    Elastic Intelligence Analysis
  </span>

      </a>
    </li>
  

            
          
            
              
  
  
    
  
  
    
    <li class="md-nav__item md-nav__item--active md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_2" type="checkbox" id="__nav_2_2" checked>
      
      
      
      
        <label class="md-nav__link" for="__nav_2_2">
          
  
  <span class="md-ellipsis">
    2022
  </span>

          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <nav class="md-nav" aria-label="2022" data-md-level="2">
        <label class="md-nav__title" for="__nav_2_2">
          <span class="md-nav__icon md-icon"></span>
          2022
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
              
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_2_1" type="checkbox" id="__nav_2_2_1" >
      
      
      
      
        <label class="md-nav__link" for="__nav_2_2_1">
          
  
  <span class="md-ellipsis">
    January
  </span>

          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <nav class="md-nav" aria-label="January" data-md-level="3">
        <label class="md-nav__title" for="__nav_2_2_1">
          <span class="md-nav__icon md-icon"></span>
          January
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../01/01.formbook-adopts-cabless-approach/article/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    FORMBOOK Adopts CAB-less Approach
  </span>

      </a>
    </li>
  

            
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../01/02.collecting-cobalt-strike-beacons/article/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    Collecting Cobalt Strike Beacons with the Elastic Stack
  </span>

      </a>
    </li>
  

            
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../01/03.extracting-cobalt-strike-beacon/article/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    Extracting Cobalt Strike Beacon Configurations
  </span>

      </a>
    </li>
  

            
          
        </ul>
      </nav>
    </li>
  

            
          
            
              
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_2_2" type="checkbox" id="__nav_2_2_2" >
      
      
      
      
        <label class="md-nav__link" for="__nav_2_2_2">
          
  
  <span class="md-ellipsis">
    March
  </span>

          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <nav class="md-nav" aria-label="March" data-md-level="3">
        <label class="md-nav__title" for="__nav_2_2_2">
          <span class="md-nav__icon md-icon"></span>
          March
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../03/01.hermeticwiper-targets-ukraine/article/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    Elastic protects against data wiper malware targeting Ukraine: HERMETICWIPER
  </span>

      </a>
    </li>
  

            
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../03/02.phoreal-targets-southeast-asia-financial-sector/article/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    PHOREAL Malware Targets the Southeast Asian Financial Sector
  </span>

      </a>
    </li>
  

            
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../03/03.dirty-pipe/article/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    Detecting and responding to Dirty Pipe with Elastic
  </span>

      </a>
    </li>
  

            
          
        </ul>
      </nav>
    </li>
  

            
          
            
              
  
  
    
  
  
    
    <li class="md-nav__item md-nav__item--active md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_2_3" type="checkbox" id="__nav_2_2_3" checked>
      
      
      
      
        <label class="md-nav__link" for="__nav_2_2_3">
          
  
  <span class="md-ellipsis">
    May
  </span>

          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <nav class="md-nav" aria-label="May" data-md-level="3">
        <label class="md-nav__title" for="__nav_2_2_3">
          <span class="md-nav__icon md-icon"></span>
          May
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
              
  
  
    
  
  
    <li class="md-nav__item md-nav__item--active">
      
      <input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
      
      
      
        <label class="md-nav__link md-nav__link--active" for="__toc">
          
  
  <span class="md-ellipsis">
    A peek behind the BPFDoor
  </span>

          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <a href="./" class="md-nav__link md-nav__link--active">
        
  
  <span class="md-ellipsis">
    A peek behind the BPFDoor
  </span>

      </a>
      
        

<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
  
  
  
  
    <label class="md-nav__title" for="__toc">
      <span class="md-nav__icon md-icon"></span>
      Table of contents
    </label>
    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
      
        <li class="md-nav__item">
  <a href="#preamble" class="md-nav__link">
    Preamble
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#general-analysis" class="md-nav__link">
    General Analysis
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#attack-lifecycle" class="md-nav__link">
    Attack Lifecycle
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#defense-evasion-insights" class="md-nav__link">
    Defense Evasion Insights
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#bpf-filters" class="md-nav__link">
    BPF Filters
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#historical-analysis" class="md-nav__link">
    Historical Analysis
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#linux-malware-sophistication" class="md-nav__link">
    Linux Malware Sophistication
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#detection-of-bpfdoor" class="md-nav__link">
    Detection of BPFDoor
  </a>
  
    <nav class="md-nav" aria-label="Detection of BPFDoor">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#existing-detection-rules" class="md-nav__link">
    Existing Detection Rules
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#hunting-queries" class="md-nav__link">
    Hunting Queries
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#yara-rules" class="md-nav__link">
    YARA Rules
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
      
        <li class="md-nav__item">
  <a href="#interacting-with-bpfdoor" class="md-nav__link">
    Interacting with BPFDoor
  </a>
  
    <nav class="md-nav" aria-label="Interacting with BPFDoor">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#bpfdoor-scanner" class="md-nav__link">
    BPFDoor Scanner
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#bpfdoor-configuration-extractor" class="md-nav__link">
    BPFDoor Configuration Extractor
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#bpfdoor-client-poc" class="md-nav__link">
    BPFDoor Client POC
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
      
        <li class="md-nav__item">
  <a href="#impact" class="md-nav__link">
    Impact
  </a>
  
    <nav class="md-nav" aria-label="Impact">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#tactics" class="md-nav__link">
    Tactics
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#techniques-sub-techniques" class="md-nav__link">
    Techniques (sub-techniques)
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
      
        <li class="md-nav__item">
  <a href="#source-pseudocode" class="md-nav__link">
    Source Pseudocode
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#summary" class="md-nav__link">
    Summary
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#observables" class="md-nav__link">
    Observables
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#references" class="md-nav__link">
    References
  </a>
  
</li>
      
    </ul>
  
</nav>
      
    </li>
  

            
          
        </ul>
      </nav>
    </li>
  

            
          
        </ul>
      </nav>
    </li>
  

            
          
        </ul>
      </nav>
    </li>
  

    
      
      
      


  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3" type="checkbox" id="__nav_3" >
      
      
      
      
        <label class="md-nav__link" for="__nav_3">
          
  
  <span class="md-ellipsis">
    Malware Analysis
  </span>

          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <nav class="md-nav" aria-label="Malware Analysis" data-md-level="1">
        <label class="md-nav__title" for="__nav_3">
          <span class="md-nav__icon md-icon"></span>
          Malware Analysis
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../../../malware/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    Elastic Malware Analysis
  </span>

      </a>
    </li>
  

            
          
            
              
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_2" type="checkbox" id="__nav_3_2" >
      
      
      
      
        <label class="md-nav__link" for="__nav_3_2">
          
  
  <span class="md-ellipsis">
    2022
  </span>

          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <nav class="md-nav" aria-label="2022" data-md-level="2">
        <label class="md-nav__title" for="__nav_3_2">
          <span class="md-nav__icon md-icon"></span>
          2022
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
              
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_2_1" type="checkbox" id="__nav_3_2_1" >
      
      
      
      
        <label class="md-nav__link" for="__nav_3_2_1">
          
  
  <span class="md-ellipsis">
    January
  </span>

          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <nav class="md-nav" aria-label="January" data-md-level="3">
        <label class="md-nav__title" for="__nav_3_2_1">
          <span class="md-nav__icon md-icon"></span>
          January
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../../../malware/2022/01/01.operation-bleeding-bear/article/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    Operation Bleeding Bear
  </span>

      </a>
    </li>
  

            
          
        </ul>
      </nav>
    </li>
  

            
          
            
              
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_2_2" type="checkbox" id="__nav_3_2_2" >
      
      
      
      
        <label class="md-nav__link" for="__nav_3_2_2">
          
  
  <span class="md-ellipsis">
    May
  </span>

          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <nav class="md-nav" aria-label="May" data-md-level="3">
        <label class="md-nav__title" for="__nav_3_2_2">
          <span class="md-nav__icon md-icon"></span>
          May
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../../../malware/2022/05/02.blister/article/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    BLISTER Loader
  </span>

      </a>
    </li>
  

            
          
        </ul>
      </nav>
    </li>
  

            
          
        </ul>
      </nav>
    </li>
  

            
          
        </ul>
      </nav>
    </li>
  

    
      
      
      


  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" >
      
      
      
      
        <label class="md-nav__link" for="__nav_4">
          
  
  <span class="md-ellipsis">
    Whitepapers
  </span>

          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <nav class="md-nav" aria-label="Whitepapers" data-md-level="1">
        <label class="md-nav__title" for="__nav_4">
          <span class="md-nav__icon md-icon"></span>
          Whitepapers
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../../../whitepapers/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    Elastic Whitepapers
  </span>

      </a>
    </li>
  

            
          
            
              
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4_2" type="checkbox" id="__nav_4_2" >
      
      
      
      
        <label class="md-nav__link" for="__nav_4_2">
          
  
  <span class="md-ellipsis">
    2022
  </span>

          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <nav class="md-nav" aria-label="2022" data-md-level="2">
        <label class="md-nav__title" for="__nav_4_2">
          <span class="md-nav__icon md-icon"></span>
          2022
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
              
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4_2_1" type="checkbox" id="__nav_4_2_1" >
      
      
      
      
        <label class="md-nav__link" for="__nav_4_2_1">
          
  
  <span class="md-ellipsis">
    February
  </span>

          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <nav class="md-nav" aria-label="February" data-md-level="3">
        <label class="md-nav__title" for="__nav_4_2_1">
          <span class="md-nav__icon md-icon"></span>
          February
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../../../whitepapers/2022/02/02.sandboxing-antimalware-products-for-fun-and-profit/article/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    Sandboxing Antimalware Products for Fun and Profit
  </span>

      </a>
    </li>
  

            
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../../../whitepapers/2022/02/03.exploring-windows-uac-bypass-techniques-detection-strategies/article/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    Exploring Windows UAC Bypasses: Techniques and Detection Strategies
  </span>

      </a>
    </li>
  

            
          
        </ul>
      </nav>
    </li>
  

            
          
            
              
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4_2_2" type="checkbox" id="__nav_4_2_2" >
      
      
      
      
        <label class="md-nav__link" for="__nav_4_2_2">
          
  
  <span class="md-ellipsis">
    April
  </span>

          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <nav class="md-nav" aria-label="April" data-md-level="3">
        <label class="md-nav__title" for="__nav_4_2_2">
          <span class="md-nav__icon md-icon"></span>
          April
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../../../whitepapers/2022/04/04.hunting-for-credential-access/article/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    Detect Credential Access with Elastic Security
  </span>

      </a>
    </li>
  

            
          
        </ul>
      </nav>
    </li>
  

            
          
        </ul>
      </nav>
    </li>
  

            
          
            
              
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4_3" type="checkbox" id="__nav_4_3" >
      
      
      
      
        <label class="md-nav__link" for="__nav_4_3">
          
  
  <span class="md-ellipsis">
    2021
  </span>

          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <nav class="md-nav" aria-label="2021" data-md-level="2">
        <label class="md-nav__title" for="__nav_4_3">
          <span class="md-nav__icon md-icon"></span>
          2021
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
              
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4_3_1" type="checkbox" id="__nav_4_3_1" >
      
      
      
      
        <label class="md-nav__link" for="__nav_4_3_1">
          
  
  <span class="md-ellipsis">
    July
  </span>

          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <nav class="md-nav" aria-label="July" data-md-level="3">
        <label class="md-nav__title" for="__nav_4_3_1">
          <span class="md-nav__icon md-icon"></span>
          July
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../../../whitepapers/2021/07/01.threat-intel-filebeat-module/article/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    Ingesting threat data with the Threat Intel Filebeat module
  </span>

      </a>
    </li>
  

            
          
        </ul>
      </nav>
    </li>
  

            
          
        </ul>
      </nav>
    </li>
  

            
          
        </ul>
      </nav>
    </li>
  

    
      
      
      


  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5" type="checkbox" id="__nav_5" >
      
      
      
      
        <label class="md-nav__link" for="__nav_5">
          
  
  <span class="md-ellipsis">
    Tools
  </span>

          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <nav class="md-nav" aria-label="Tools" data-md-level="1">
        <label class="md-nav__title" for="__nav_5">
          <span class="md-nav__icon md-icon"></span>
          Tools
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../../../tools/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    Research Tools
  </span>

      </a>
    </li>
  

            
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../../../tools/blister-config-extractor/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    BLISTER Configuration Extractor
  </span>

      </a>
    </li>
  

            
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../../../tools/bpfdoor-config-extractor/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    BPFDoor Configuration Extractor
  </span>

      </a>
    </li>
  

            
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../../../tools/bpfdoor-scanner/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    BPFDoor Scanner
  </span>

      </a>
    </li>
  

            
          
            
              
  
  
  
    <li class="md-nav__item">
      <a href="../../../../../tools/cobalt-strike-extractor/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    Cobalt Strike Beacon Extractor
  </span>

      </a>
    </li>
  

            
          
        </ul>
      </nav>
    </li>
  

    
      
      
      


  
  
  
    <li class="md-nav__item">
      <a href="../../../../../tags/" class="md-nav__link">
        
  
  <span class="md-ellipsis">
    Tag Index
  </span>

      </a>
    </li>
  

    
  </ul>
</nav>
                  </div>
                </div>
              </div>
            
            
              
              <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
                <div class="md-sidebar__scrollwrap">
                  <div class="md-sidebar__inner">
                    

<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
  
  
  
  
    <label class="md-nav__title" for="__toc">
      <span class="md-nav__icon md-icon"></span>
      Table of contents
    </label>
    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
      
        <li class="md-nav__item">
  <a href="#preamble" class="md-nav__link">
    Preamble
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#general-analysis" class="md-nav__link">
    General Analysis
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#attack-lifecycle" class="md-nav__link">
    Attack Lifecycle
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#defense-evasion-insights" class="md-nav__link">
    Defense Evasion Insights
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#bpf-filters" class="md-nav__link">
    BPF Filters
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#historical-analysis" class="md-nav__link">
    Historical Analysis
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#linux-malware-sophistication" class="md-nav__link">
    Linux Malware Sophistication
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#detection-of-bpfdoor" class="md-nav__link">
    Detection of BPFDoor
  </a>
  
    <nav class="md-nav" aria-label="Detection of BPFDoor">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#existing-detection-rules" class="md-nav__link">
    Existing Detection Rules
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#hunting-queries" class="md-nav__link">
    Hunting Queries
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#yara-rules" class="md-nav__link">
    YARA Rules
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
      
        <li class="md-nav__item">
  <a href="#interacting-with-bpfdoor" class="md-nav__link">
    Interacting with BPFDoor
  </a>
  
    <nav class="md-nav" aria-label="Interacting with BPFDoor">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#bpfdoor-scanner" class="md-nav__link">
    BPFDoor Scanner
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#bpfdoor-configuration-extractor" class="md-nav__link">
    BPFDoor Configuration Extractor
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#bpfdoor-client-poc" class="md-nav__link">
    BPFDoor Client POC
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
      
        <li class="md-nav__item">
  <a href="#impact" class="md-nav__link">
    Impact
  </a>
  
    <nav class="md-nav" aria-label="Impact">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#tactics" class="md-nav__link">
    Tactics
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#techniques-sub-techniques" class="md-nav__link">
    Techniques (sub-techniques)
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
      
        <li class="md-nav__item">
  <a href="#source-pseudocode" class="md-nav__link">
    Source Pseudocode
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#summary" class="md-nav__link">
    Summary
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#observables" class="md-nav__link">
    Observables
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#references" class="md-nav__link">
    References
  </a>
  
</li>
      
    </ul>
  
</nav>
                  </div>
                </div>
              </div>
            
          
          <div class="md-content" data-md-component="content">
            <article class="md-content__inner md-typeset">
              
                

  

  <nav class="md-tags" >
    
      
        <a href="../../../../../tags/#bpfdoor" class="md-tag">
          BPFDoor
        </a>
      
    
      
        <a href="../../../../../tags/#malware" class="md-tag">
          Malware
        </a>
      
    
      
        <a href="../../../../../tags/#red-menshen" class="md-tag">
          Red Menshen
        </a>
      
    
  </nav>



  <h1>A peek behind the BPFDoor</h1>


<aside class="mdx-author" markdown>
  <p>
  
  
  <img alt="@DefSecSentinel" src="https://avatars.githubusercontent.com/u/48036388?v=4" class="avatar" />
  
  
  
  <img alt="@tabell" src="https://avatars.githubusercontent.com/u/5386353?v=4" class="avatar" />
  
  
  
  <img alt="@rhysre" src="https://avatars.githubusercontent.com/u/91164188?v=4" class="avatar" />
  
  
  
  <img alt="@jtnk" src="https://avatars.githubusercontent.com/u/18609142?v=4" class="avatar" />
  
  
  </p>
  <p>
    <span>
    
      <strong>Colson Wilhoit</strong> · <a class="magiclink magiclink-github magiclink-mention" href="https://github.com/DefSecSentinel" title="GitHub User: DefSecSentinel">@DefSecSentinel</a>
       | 
    
      <strong>Alex Bell</strong> · <a class="magiclink magiclink-github magiclink-mention" href="https://github.com/tabell" title="GitHub User: tabell">@tabell</a>
       | 
    
      <strong>Rhys Rustad-Elliott</strong> · <a class="magiclink magiclink-github magiclink-mention" href="https://github.com/rhysre" title="GitHub User: rhysre">@rhysre</a>
       | 
    
      <strong>Jake King</strong> · <a class="magiclink magiclink-github magiclink-mention" href="https://github.com/jtnk" title="GitHub User: jtnk">@jtnk</a>
      
    
    </span>
    <span>
      <span class="twemoji"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path fill-rule="evenodd" d="M6.75 0a.75.75 0 0 1 .75.75V3h9V.75a.75.75 0 0 1 1.5 0V3h2.75c.966 0 1.75.784 1.75 1.75v16a1.75 1.75 0 0 1-1.75 1.75H3.25a1.75 1.75 0 0 1-1.75-1.75v-16C1.5 3.784 2.284 3 3.25 3H6V.75A.75.75 0 0 1 6.75 0zm-3.5 4.5a.25.25 0 0 0-.25.25V8h18V4.75a.25.25 0 0 0-.25-.25H3.25zM21 9.5H3v11.25c0 .138.112.25.25.25h17.5a.25.25 0 0 0 .25-.25V9.5z"></path></svg></span>
      2022-05-17
      </span>
  </p>
</aside>


<h2 id="preamble">Preamble<a class="headerlink" href="#preamble" title="Permanent link">&para;</a></h2>
<p><a href="https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896">BPFDoor</a> is a backdoor payload specifically crafted for Linux. Its purpose is for long-term persistence in order to gain re-entry into a previously or actively compromised target environment. It notably utilizes BPF along with a number of other techniques to achieve this goal, taking great care to be as efficient and stealthy as possible. PWC researchers discovered this very interesting piece of malware in 2021. PWC attributes this back door to a specific group from China, Red Menshen, and detailed a number of interesting components in a high-level threat research post released <a href="https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf">last week</a>.</p>
<p>PWC’s findings indicated that ​​Red Menshen had focused their efforts on targeting specific Telecommunications, Government, Logistics, and Education groups across the Middle East and Asia. This activity has been across a Monday-to-Friday working period, between 01:00 UTC and 10:00 UTC, indicating that the operators of the malware were consistent in their attacks, and operation during a working week.</p>
<p>Perhaps most concerningly, the payload itself has been observed across the last 5 years in various phases of development and complexity, indicating that the threat actor responsible for operating the malware has been at it for some time, undetected in many environments.</p>
<div class="admonition tip">
<p class="admonition-title">BPFDoor Tools</p>
<p>The Elastic Security Team has created a few tools that will aid researchers in analyzing the BPFDoor malware.</p>
<p>The BPFDoor scanner will allow you to scan for hosts infected with the BPFDoor malware and the BPFDoor configuration extractor will allow you to extrapolate the malware’s configuration or hardcoded values which can lead to additional observations you can use for further analysis, developing additional signatures or connecting to the backdoor utilizing our client.</p>
<ul>
<li><a href="../../../../../tools/bpfdoor-scanner/">BPFDoor scanner</a></li>
<li><a href="../../../../../tools/bpfdoor-config-extractor/">BPFDoor configuration extractor</a></li>
</ul>
</div>
<h2 id="general-analysis">General Analysis<a class="headerlink" href="#general-analysis" title="Permanent link">&para;</a></h2>
<p>Red Menshen has leveraged a network of VPS servers to act as a controller network and access these systems via compromised routers based out of Taiwan. The routers act as a VPN network for the adversarial groups via a sequence of specifically crafted packets sent to an infected host. <a href="https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896">Researchers</a> have indicated that this payload is pervasive and that compromised hosts have been observed across the US, South Korea, Hong Kong, Turkey, India, Vietnam, and Myanmar.</p>
<p>BPF-based malware payloads, while ultimately uncommon, serve a specific purpose on Linux-based hosts where stealthy and performant operations are critical for success. Tools such as <a href="https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896">BPFDoor</a> are not alone. Recently, <a href="https://www.pangulab.cn/en/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group/">Pangu Labs</a> discovered a payload by the name of  <a href="https://www.pangulab.cn/en/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group/">Bvp47</a>, a sensor that used stealthy BPF-based telemetry to acquire detailed information about the workloads running on infected hosts.</p>
<p><a href="https://ebpf.io/">eBPF</a> (Extended Berkeley Packet Filters), a new evolution of BPF used increasingly today, is gaining popularity amongst system operators given its efficiency and proven, powerful capabilities leveraged often for system performance, network, and security telemetry collection. Adversaries are taking note and it is our assumption that malware targeting cloud systems will increasingly leverage these methods in the future.</p>
<h2 id="attack-lifecycle">Attack Lifecycle<a class="headerlink" href="#attack-lifecycle" title="Permanent link">&para;</a></h2>
<p>This inherently passive backdoor payload is built to be a form of persistence –  a method to regain access if the first or second stage payloads are lost. It is built for and intended to be installed on high-uptime servers or appliances, IoT/SCADA, or cloud systems with access to the Internet.  The backdoor usually sits in temporary storage so if a server were to be rebooted or shut down, the backdoor would be lost.</p>
<p>It should be assumed that if this malware is found on a system the initial-access (1st stage) or post-exploitation (2nd stage) payloads are still most likely present and possibly active elsewhere in the environment. This backdoor excels at stealth, taking every opportunity to blend in and remain undetected.</p>
<p>In the below steps, we will break BPFDoor’s actions down according to the vast majority of the samples available.</p>
<ol>
<li>When executed the binary copies itself into <code>/dev/shm/</code>. A temporary filesystem <code>/dev/shm</code> stands for shared memory and is a temporary file storage facility serving as an efficient means of inter-process communication</li>
<li>Renames its process to <code>kdmtmpflush</code>, a hardcoded process name</li>
<li>Initializes itself with the <code>-init</code> flag and forks itself. Forking in Linux means creating a new process by duplicating the calling process</li>
<li>Deletes itself by removing the original binary invoked. The forked process continues to run</li>
<li>Alters the forked processes&rsquo; creation and modification time values, also known as <a href="https://attack.mitre.org/techniques/T1070/006/">timestomping</a></li>
<li>Creates a new process environment for itself and removes the old one setting (spoofing) a new process name. It changes the way it appears on the system akin to wearing a mask. The process is still <code>kdmtmpflush</code> but if you were to run a ps you would see whatever value it set</li>
<li>Creates a process ID (PID) file in <code>/var/run</code>. PID files are text files containing the process of the associated program meant for preventing multiple starts, marking residency, and used by the program to stop itself. This file resides in <code>/var/run</code>, another temporary file storage facility</li>
<li>Creates a raw network socket. On Linux, a socket is an endpoint for network communication that allows you to specify in detail every section of a packet allowing a user to implement their own transport layer protocol above the internet (IP) level</li>
<li>Sets BPF filters on the raw socket. <a href="https://www.kernel.org/doc/html/v5.12/networking/filter.html">BPF</a> allows a user-space program to attach a filter onto any socket and allow or disallow certain types of data to come through the socket</li>
<li>Observes incoming packets</li>
<li>If a packet is observed that matches the BPF filters and contains the required data it is passed to the backdoor for processing</li>
<li>It forks the current process again</li>
<li>Changes the forked processes working directory to <code>/</code></li>
<li>Changes (spoofs) the name of the forked process to a hardcoded value</li>
<li>Based on the password or existence of a password sent in the “magic packet” the backdoor provides a reverse shell, establishes a bind shell, or sends back a ping</li>
</ol>
<div class="admonition note">
<p class="admonition-title">Atypical BPFDoor sample</p>
<p>Of note there is one <a href="https://www.virustotal.com/gui/file/07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d/detection">sample</a> we have come across that does not seem to exhibit steps 1 - 4. It doesn’t alter its initial name to a hardcoded value and simply executes from its placed location, otherwise, it models the same behavior.</p>
</div>
<p>Below you can see visual representations of the BPFDoor process tree, utilizing Elastic’s Analyzer View. The first image displays the tree prior to active use of the backdoor (i.e reverse shell, bind shell, or pingback) and the second image after a reverse shell has connected and performed post-exploitation activities.  </p>
<figure>
<p><img alt="Elastic Analyzer View of the BPFDoor initial invocation process tree" src="../media/image12.png" title="Elastic Analyzer View of the BPFDoor initial invocation process tree" /></p>
<figcaption>Elastic Analyzer View of the BPFDoor initial invocation process tree</figcaption>
</figure>
<figure>
<p><img alt="Elastic Analyzer View of BPFDoor following a reverse shell connection and post exploitation actions" src="../media/image1.png" title="Elastic Analyzer View of BPFDoor following a reverse shell connection and post exploitation actions" /></p>
<figcaption>Elastic Analyzer View of BPFDoor following a reverse shell connection and post exploitation actions</figcaption>
</figure>
<h2 id="defense-evasion-insights">Defense Evasion Insights<a class="headerlink" href="#defense-evasion-insights" title="Permanent link">&para;</a></h2>
<p>BPFDoor is interesting given the anti-forensics, and obfuscation tactics used. Astute readers will observe slight differences in the PID tree visible when running a <code>ps ajxf</code> on an infected host when compared to executed data within the Analyzer View inside of Elastic. This is due to the process name spoofing mentioned in step 6 (above) of the attack lifecycle above. The image below is taken from a system running BPFDoor with an active reverse shell connection established:</p>
<figure>
<p><img alt="An observed running process created by the BPFDoor reverse shell" src="../media/image4.png" title="An observed running process created by the BPFDoor reverse shell" /></p>
<figcaption>An observed running process created by the BPFDoor reverse shell</figcaption>
</figure>
<p>The difference lies in the fact that <code>kdmtmpflush</code> and <code>sh</code> are run prior to spoofing, and are captured at runtime by Elastic Endpoint. This is an accurate representation of the processes active on the host, further confirming the importance of appropriate observation software for Linux hosts - you can’t always trust what you see on the local system:</p>
<figure>
<p><img alt="Elastic Analyzer View of BPFDoor demonstrating real process capture." src="../media/image7.png" title="Elastic Analyzer View of BPFDoor demonstrating real process capture." /></p>
<figcaption>Elastic Analyzer View of BPFDoor demonstrating real process capture.</figcaption>
</figure>
<p>BPFDoor also holds in its repertoire the ability to subvert the traditional Linux socket client - server architecture in order to hide its malicious traffic. The methods which it utilizes to achieve this are both unusual and intriguing.</p>
<p>The sockets interface is almost synonmous with TCP/IP communication.  This simple interface has endured for over 40 years - predating both Linux and Windows implementations.</p>
<figure>
<p><img alt="Example of how TCP/IP and socket interfaces function" src="../media/image3.png" title="Example of how TCP/IP and socket interfaces function" /></p>
<figcaption>Example of how TCP/IP and socket interfaces function</figcaption>
</figure>
<p>BPFDoor uses a raw socket (as opposed to &lsquo;cooked&rsquo; ones that handle IP/TCP/UDP headers transparently) to observe every packet arriving at the machine, ethernet frame headers and all.  While this might sound like a stealthy way to intercept traffic, it&rsquo;s actually not – on any machine with a significant amount of network traffic the CPU usage will be consistently high.</p>
<p>That&rsquo;s where BPF comes in - an extremely efficient, kernel-level packet filter is the perfect tool to allow the implant to ignore 99% of network traffic and only become activated when a special pattern is encountered. This implant looks for a so-called magic packet in every TCP, UDP and ICMP packet received on the system.</p>
<p>Once activated, a typical reverse shell - which this back door also supports - creates an outbound connection to a listener set up by the attacker. This has the advantage of bypassing firewalls watching inbound traffic only.  This method is well-understood by defenders, however. The sneakiest way to get a shell connected would be to reuse an existing packet flow, redirected to a separate process.</p>
<p>In this attack, the initial TCP handshake is done between the attacker and a completely legitimate process – for example nginx or sshd. These handshake packets happen to be also delivered to the backdoor (like every packet on the system) but are filtered out by BPF. Once the connection is established, however, BPFDoor sends a magic packet to the legitimate service. The implant receives it and makes a note of the originating IP and port the attacker is using, and it opens a new listening socket on an inconspicuous port (42391 - 43391).</p>
<p>The implant then reconfigures the firewall to temporarily redirect all traffic from the attacker’s IP/port combination to the new listening socket.  The attacker initiates a second TCP handshake on the same legitimate port as before, only now iptables forwards those packets to the listening socket owned by the implant. . This establishes the communication channel between attacker and implant that will be used for command and control. The implant then covers its tracks by removing the iptables firewall rules that redirected the traffic.</p>
<p>Despite the firewall rule being removed, traffic on the legitimate port will continue to be forwarded to the implant due to how Linux statefully tracks connections. No visible traffic will be addressed to the implant port (although it will be delivered there).</p>
<figure>
<p><img alt="A diagram representing the aforementioned network flows" src="../media/image14.png" title="A diagram representing the aforementioned network flows" /></p>
<figcaption>A diagram representing the aforementioned network flows</figcaption>
</figure>
<h2 id="bpf-filters">BPF Filters<a class="headerlink" href="#bpf-filters" title="Permanent link">&para;</a></h2>
<p>As stated in step 9 (above), <a href="https://www.kernel.org/doc/html/v5.12/networking/filter.html">BPF</a> or Berkeley Packet Filters is a technology from the early ’90s that allows a user-space program to attach a network filter onto any socket and allow or disallow certain types of data to come through the socket. These filters are made up of bytecode that runs on an abstract virtual machine in the Linux kernel. The BPF virtual machine has functionality to inspect all parts of incoming packets and make an allow/drop decision based on what it sees. . You can see in the image example below what this looks like within the BPFDoor source code:</p>
<figure>
<p><img alt="BPFDoor source code BPF Filters" src="../media/image6.png" title="BPFDoor source code BPF Filters" /></p>
<figcaption>BPFDoor source code BPF Filters</figcaption>
</figure>
<p>We took this BPF code, converted it, and wrote it up as pseudo code in an effort to aid our research and craft packets able to successfully get through these filters in order to activate the backdoor.</p>
<figure>
<p><img alt="BPFDoor source code BPF Filter Pseudocode" src="../media/image5.png" title="BPFDoor source code BPF Filter Pseudocode" /></p>
<figcaption>BPFDoor source code BPF Filter Pseudocode</figcaption>
</figure>
<p>The above capabilities allow BPFDoor to attach a filter onto any socket and allow or disallow certain types of data to come through the socket - used carefully by the adversary to invoke a series of different functions within the payload.</p>
<h2 id="historical-analysis">Historical Analysis<a class="headerlink" href="#historical-analysis" title="Permanent link">&para;</a></h2>
<p>We wanted to see over time, between BPFDoor payloads, what, if anything, the threat actors modified. A number of samples were detonated and analyzed ranging from the uploaded source code to a <a href="https://www.virustotal.com/gui/file/599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683/detection">sample</a> uploaded last month. We found that the behavior over time did not change a great deal. It maintained the same relative attack lifecycle with a few variations with the hardcoded values such as passwords, process names, and files - this is not uncommon when compared to other malware samples that look to evade detection or leverage payloads across a variety of victims.</p>
<p>We posture that the threat group would change passwords and update process or file names in an effort to improve operational security and remain hidden. It also makes sense that the general functionality of the backdoor would not change in any great way. As the saying goes “If it&rsquo;s not broken, don’t fix it”. Our malware analysis and reverse engineering team compared the source code (uploaded to <a href="https://www.virustotal.com/gui/file/8b9db0bc9152628bdacc32dab01590211bee9f27d58e0f66f6a1e26aea7552a6/detection">VirusTotal</a> and found on <a href="https://pastebin.com/raw/kmmJuuQP">Pastebin</a>) to a recently uploaded sample highlighting some of the notable changes within the main function of the malware in the images below.</p>
<figure>
<p><img alt="A side by side comparison of the main functions for the Pastebin source code and a sample uploaded to VT last month focusing on the hardcoded string values for the passwords, process names and file name" src="../media/image10.png" title="A side by side comparison of the main functions for the Pastebin source code and a sample uploaded to VT last month focusing on the hardcoded string values for the passwords, process names and file name" /></p>
<figcaption>A side by side comparison of the main functions for the Pastebin source code and a sample uploaded to VT last month focusing on the hardcoded string values for the passwords, process names and file name</figcaption>
</figure>
<p>As we mentioned earlier, one recent <a href="https://www.virustotal.com/gui/file/07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d/detection">sample</a> we have come across that does not seem to exhibit some of the tactics of prior payloads has been observed - It doesn’t alter its initial name to a hardcoded value and simply executes from its placed location, otherwise, it models relatively the same behavior.</p>
<h2 id="linux-malware-sophistication">Linux Malware Sophistication<a class="headerlink" href="#linux-malware-sophistication" title="Permanent link">&para;</a></h2>
<p>A trend we have had the privilege of observing at Elastic, is the threat landscape of Linux targeted attacks - these being focused often on cloud workloads, or systems that typically have less observational technology configured in many of the environments we see. The trend of complex, well-designed payloads is something that is often simply overlooked, and specifically in the case of BPFDoor, remained hidden for years.</p>
<p>It is important to consider these workloads a critical component of your security posture: A lack of visibility within cloud workloads will eventually lead to large gaps in security controls - adversarial groups are further growing to understand these trends, and act accordingly. Best practices state that endpoint defenses should be consistent across the fleet of systems under management, and conform to a least privilege architecture.</p>
<h2 id="detection-of-bpfdoor">Detection of BPFDoor<a class="headerlink" href="#detection-of-bpfdoor" title="Permanent link">&para;</a></h2>
<p>After researching this malware it became apparent as to why the backdoor remained in use and hidden for so long. If you aren’t intimately familiar with Linux process abnormalities or weren’t looking for it you would generally not detect it. Even though it takes advantage of Linux capabilities in a stealthy manner to evade detection, there are still opportunities for both behavioral and signature-based detections.</p>
<p>The first area of opportunity we witnessed while testing was the behavior we observed during the initial execution of the malware, specifically its working directory, in a shared memory location <code>/dev/shm</code>. This is a native temporary filesystem location in Linux that uses RAM for storage, and a binary executing from it let alone generating network connections is fairly uncommon in practice.</p>
<p>During execution, BPFDoor removes existing files from <code>/dev/shm</code> and copies itself there prior to initialization. A detection for this would be any execution of a binary from this directory as root (you have to be root to write to and read from this directory).</p>
<p>This was verified by detonating the binary in a VM while our Elastic Agent was installed and observing the sequence of events. You can see an image of this detection on the Kibana Security Alerts page below. This rule is publicly available as an Elastic SIEM detection rule - <a href="https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_process_started_in_shared_memory_directory.toml">Binary Executed from Shared Memory Directory</a>:</p>
<figure>
<p><img alt="Elastic Alert in Kibana - Binary Executed from Shared Memory Directory" src="../media/image8.png" title="Elastic Alert in Kibana - Binary Executed from Shared Memory Directory" /></p>
<figcaption>Elastic Alert in Kibana - Binary Executed from Shared Memory Directory</figcaption>
</figure>
<p>The second opportunity we noticed, for detection, was a specific PID file being created in <code>/var/run</code>. We noticed the dropped PID file was completely empty while doing a quick query via the <a href="https://docs.elastic.co/en/integrations/osquery_manager">Osquery integration</a> to the <code>/var/run</code> directory. While this is not inherently malicious, it is unusual for the file size of a PID to be <code>0</code> or above <code>10</code> bytes and thus we created an additional rule centered around detecting this unusual behavior.</p>
<p>Our <a href="https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_abnormal_process_id_file_created.toml">Abnormal Process ID or Lock File Created</a> rule identifies the creation of a PID file in the main directory of <code>/var/run</code> with no subdirectory, ignoring common PID files to be expected:</p>
<figure>
<p><img alt="Elastic Alert in Kibana - Abnormal Process ID or Lock File Created" src="../media/image11.png" title="Elastic Alert in Kibana - Abnormal Process ID or Lock File Created" /></p>
<figcaption>Elastic Alert in Kibana - Abnormal Process ID or Lock File Created</figcaption>
</figure>
<p>The third area we wanted to look at was the network connections tied to two of the three capabilities (reverse shell and bind shell) the backdoor possesses. We wanted to see if there were any suspicious network connections tied to process or user abnormalities we could sequence together based off of the way BPFDoor handles establishing a reverse or bind shell.</p>
<p>The reverse shell was the first capability focused on. Taking a deep look at the process tree in and around the reverse shell establishment allowed us to key in on what would be considered a strange or even abnormal sequence of events leading to and involving an outbound network connection.</p>
<p>We developed a hunt rule sequence that identifies an outbound network connection attempt followed by a session id change as the root user by the same process entity. The reason we developed these network focused hunt rules is due to possible performance issues caused if running these continually. </p>
<p>The bind shell was the last capability we honed in on. Identifying an abnormal sequence of events surrounding the bind shell connection was difficult due to the way it forks then accepts the connection and kills the accepting process post established connection. Therefore we had to focus on the sequence of events within the process entity id directly involving the network connection and subsequent killing of the accepting process.</p>
<p>After developing the 2 detection rules along with the 2 hunt rules listed below and in addition to the 6 YARA signatures deployed we were able to detect BPFDoor in a myriad of different ways and within different stages of its life cycle. As stated earlier though, if you detect this malware in your environment it should be the least of your concerns given the threat actor will most likely have already successfully compromised your network via other means.</p>
<figure>
<p><img alt="Elastic Detection Summary of complete BPFDoor attack lifecycle" src="../media/image2.png" title="Elastic Detection Summary of complete BPFDoor attack lifecycle" /></p>
<figcaption>Elastic Detection Summary of complete BPFDoor attack lifecycle</figcaption>
</figure>
<h3 id="existing-detection-rules">Existing Detection Rules<a class="headerlink" href="#existing-detection-rules" title="Permanent link">&para;</a></h3>
<p>The following Elastic Detection Rules will identify BPFDoor activity:</p>
<ul>
<li><a href="https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_abnormal_process_id_file_created.toml">Abnormal Process ID or Lock File Created</a></li>
<li><a href="https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_process_started_in_shared_memory_directory.toml">Binary Executed from Shared Memory Directory</a></li>
</ul>
<h3 id="hunting-queries">Hunting Queries<a class="headerlink" href="#hunting-queries" title="Permanent link">&para;</a></h3>
<p>This EQL rule can be used to successfully identify BPFDoor reverse shell connections having been established within your environment:</p>
<div class="highlight"><span class="filename">EQL BPFDoor reverse shell hunt query</span><pre><span></span><code><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a><span class="k">sequence</span><span class="w"> </span><span class="k k-QueryModifier">by</span><span class="w"> </span><span class="n">process</span><span class="p">.</span><span class="n">entity_id</span><span class="w"> </span><span class="k k-QueryModifier">with</span><span class="w"> </span><span class="n">maxspan</span><span class="o">=</span><span class="ld">1m</span><span class="w"></span>
<a id="__codelineno-0-2" name="__codelineno-0-2" href="#__codelineno-0-2"></a><span class="p">[</span><span class="n">network</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">event</span><span class="p">.</span><span class="n">type</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">&quot;start&quot;</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">event</span><span class="p">.</span><span class="n">action</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">&quot;connection_attempted&quot;</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">user</span><span class="p">.</span><span class="n">id</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">&quot;0&quot;</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">process</span><span class="p">.</span><span class="n">executable</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="p">(</span><span class="s">&quot;/bin/ssh&quot;</span><span class="p">,</span><span class="w"> </span><span class="s">&quot;/sbin/ssh&quot;</span><span class="p">,</span><span class="w"> </span><span class="s">&quot;/usr/lib/systemd/systemd&quot;</span><span class="p">)]</span><span class="w"></span>
<a id="__codelineno-0-3" name="__codelineno-0-3" href="#__codelineno-0-3"></a><span class="p">[</span><span class="n">process</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">event</span><span class="p">.</span><span class="n">action</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">&quot;session_id_change&quot;</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">user</span><span class="p">.</span><span class="n">id</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">&quot;0&quot;</span><span class="p">]</span><span class="w"></span>
</code></pre></div>
<figure>
<p><img alt="Elastic Alert in Kibana - Suspicious Network Connection Attempt by Root" src="../media/image15.png" title="Elastic Alert in Kibana - Suspicious Network Connection Attempt by Root" /></p>
<figcaption>Elastic Alert in Kibana - Suspicious Network Connection Attempt by Root</figcaption>
</figure>
<p>The hunt rule we created here identifies a sequence of events beginning with a session id change, followed by a network connection accepted, in correlation with ptmx file creation and a deletion of the process responsible for accepting the network connection. This EQL rule can be used to successfully identify BPFDoor bind shell connections within your environment:</p>
<div class="highlight"><span class="filename">EQL BPFDoor bind shell hunt query</span><pre><span></span><code><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a><span class="k">sequence</span><span class="w"> </span><span class="k k-QueryModifier">by</span><span class="w"> </span><span class="n">process</span><span class="p">.</span><span class="n">entity_id</span><span class="w"> </span><span class="k k-QueryModifier">with</span><span class="w"> </span><span class="n">maxspan</span><span class="o">=</span><span class="ld">1m</span><span class="w"></span>
<a id="__codelineno-1-2" name="__codelineno-1-2" href="#__codelineno-1-2"></a><span class="p">[</span><span class="n">process</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">event</span><span class="p">.</span><span class="n">type</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">&quot;change&quot;</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">event</span><span class="p">.</span><span class="n">action</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">&quot;session_id_change&quot;</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">user</span><span class="p">.</span><span class="n">id</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">process</span><span class="p">.</span><span class="n">executable</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="p">(</span><span class="s">&quot;/bin/ssh&quot;</span><span class="p">,</span><span class="w"> </span><span class="s">&quot;/sbin/ssh&quot;</span><span class="p">,</span><span class="w"> </span><span class="s">&quot;/usr/lib/systemd/systemd&quot;</span><span class="p">)]</span><span class="w"></span>
<a id="__codelineno-1-3" name="__codelineno-1-3" href="#__codelineno-1-3"></a><span class="p">[</span><span class="n">network</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">event</span><span class="p">.</span><span class="n">type</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">&quot;start&quot;</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">event</span><span class="p">.</span><span class="n">action</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">&quot;connection_accepted&quot;</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">user</span><span class="p">.</span><span class="n">id</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="p">]</span><span class="w"></span>
<a id="__codelineno-1-4" name="__codelineno-1-4" href="#__codelineno-1-4"></a><span class="p">[</span><span class="n">file</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">event</span><span class="p">.</span><span class="n">action</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">&quot;creation&quot;</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">user</span><span class="p">.</span><span class="n">id</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">file</span><span class="p">.</span><span class="n">path</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">&quot;/dev/ptmx&quot;</span><span class="p">]</span><span class="w"></span>
<a id="__codelineno-1-5" name="__codelineno-1-5" href="#__codelineno-1-5"></a><span class="p">[</span><span class="n">process</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">event</span><span class="p">.</span><span class="n">action</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">&quot;end&quot;</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">user</span><span class="p">.</span><span class="n">id</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">process</span><span class="p">.</span><span class="n">executable</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="p">(</span><span class="s">&quot;/bin/ssh&quot;</span><span class="p">,</span><span class="w"> </span><span class="s">&quot;/sbin/ssh&quot;</span><span class="p">,</span><span class="w"> </span><span class="s">&quot;/usr/lib/systemd/systemd&quot;</span><span class="p">)]</span><span class="w"></span>
</code></pre></div>
<figure>
<p><img alt="Elastic Alert in Kibana - Suspicious Network Connection Accept by Root" src="../media/image9.png" title="Elastic Alert in Kibana - Suspicious Network Connection Accept by Root" /></p>
<figcaption>Elastic Alert in Kibana - Suspicious Network Connection Accept by Root</figcaption>
</figure>
<h3 id="yara-rules">YARA Rules<a class="headerlink" href="#yara-rules" title="Permanent link">&para;</a></h3>
<p>In addition to behavioral detection rules in the Elastic Endpoint, we are releasing a set of BPFDoor Yara signatures for the community.</p>
<div class="highlight"><span class="filename">BPFDoor YARA rule</span><pre><span></span><code><a id="__codelineno-2-1" name="__codelineno-2-1" href="#__codelineno-2-1"></a>rule Linux_Trojan_BPFDoor_1 {
<a id="__codelineno-2-2" name="__codelineno-2-2" href="#__codelineno-2-2"></a>
<a id="__codelineno-2-3" name="__codelineno-2-3" href="#__codelineno-2-3"></a>    meta:
<a id="__codelineno-2-4" name="__codelineno-2-4" href="#__codelineno-2-4"></a>        Author = &quot;Elastic Security&quot;
<a id="__codelineno-2-5" name="__codelineno-2-5" href="#__codelineno-2-5"></a>        creation_date = &quot;2022-05-10&quot;
<a id="__codelineno-2-6" name="__codelineno-2-6" href="#__codelineno-2-6"></a>        last_modified = &quot;2022-05-10&quot;
<a id="__codelineno-2-7" name="__codelineno-2-7" href="#__codelineno-2-7"></a>        os = &quot;Linux&quot;
<a id="__codelineno-2-8" name="__codelineno-2-8" href="#__codelineno-2-8"></a>        arch = &quot;x86&quot;
<a id="__codelineno-2-9" name="__codelineno-2-9" href="#__codelineno-2-9"></a>        category_type = &quot;Trojan&quot;
<a id="__codelineno-2-10" name="__codelineno-2-10" href="#__codelineno-2-10"></a>        family = &quot;BPFDoor&quot;
<a id="__codelineno-2-11" name="__codelineno-2-11" href="#__codelineno-2-11"></a>        threat_name = &quot;Linux.Trojan.BPFDoor&quot;
<a id="__codelineno-2-12" name="__codelineno-2-12" href="#__codelineno-2-12"></a>        description = &quot;Detects BPFDoor malware.&quot;
<a id="__codelineno-2-13" name="__codelineno-2-13" href="#__codelineno-2-13"></a>        reference_sample = &quot;144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3&quot;
<a id="__codelineno-2-14" name="__codelineno-2-14" href="#__codelineno-2-14"></a>    strings:
<a id="__codelineno-2-15" name="__codelineno-2-15" href="#__codelineno-2-15"></a>        $a1 = &quot;hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event&quot; ascii fullword
<a id="__codelineno-2-16" name="__codelineno-2-16" href="#__codelineno-2-16"></a>        $a2 = &quot;/sbin/iptables -t nat -D PREROUTING -p tcp -s %s --dport %d -j REDIRECT --to-ports %d&quot; ascii fullword
<a id="__codelineno-2-17" name="__codelineno-2-17" href="#__codelineno-2-17"></a>        $a3 = &quot;avahi-daemon: chroot helper&quot; ascii fullword
<a id="__codelineno-2-18" name="__codelineno-2-18" href="#__codelineno-2-18"></a>        $a4 = &quot;/sbin/mingetty /dev/tty6&quot; ascii fullword
<a id="__codelineno-2-19" name="__codelineno-2-19" href="#__codelineno-2-19"></a>        $a5 = &quot;ttcompat&quot; ascii fullword
<a id="__codelineno-2-20" name="__codelineno-2-20" href="#__codelineno-2-20"></a>    condition:
<a id="__codelineno-2-21" name="__codelineno-2-21" href="#__codelineno-2-21"></a>        all of them
<a id="__codelineno-2-22" name="__codelineno-2-22" href="#__codelineno-2-22"></a>}
<a id="__codelineno-2-23" name="__codelineno-2-23" href="#__codelineno-2-23"></a>
<a id="__codelineno-2-24" name="__codelineno-2-24" href="#__codelineno-2-24"></a>rule Linux_Trojan_BPFDoor_2 {
<a id="__codelineno-2-25" name="__codelineno-2-25" href="#__codelineno-2-25"></a>    meta:
<a id="__codelineno-2-26" name="__codelineno-2-26" href="#__codelineno-2-26"></a>        Author = &quot;Elastic Security&quot;
<a id="__codelineno-2-27" name="__codelineno-2-27" href="#__codelineno-2-27"></a>        creation_date = &quot;2022-05-10&quot;
<a id="__codelineno-2-28" name="__codelineno-2-28" href="#__codelineno-2-28"></a>        last_modified = &quot;2022-05-10&quot;
<a id="__codelineno-2-29" name="__codelineno-2-29" href="#__codelineno-2-29"></a>        os = &quot;Linux&quot;
<a id="__codelineno-2-30" name="__codelineno-2-30" href="#__codelineno-2-30"></a>        arch = &quot;x86&quot;
<a id="__codelineno-2-31" name="__codelineno-2-31" href="#__codelineno-2-31"></a>        category_type = &quot;Trojan&quot;
<a id="__codelineno-2-32" name="__codelineno-2-32" href="#__codelineno-2-32"></a>        family = &quot;BPFDoor&quot;
<a id="__codelineno-2-33" name="__codelineno-2-33" href="#__codelineno-2-33"></a>        threat_name = &quot;Linux.Trojan.BPFDoor&quot;
<a id="__codelineno-2-34" name="__codelineno-2-34" href="#__codelineno-2-34"></a>        description = &quot;Detects BPFDoor malware.&quot;
<a id="__codelineno-2-35" name="__codelineno-2-35" href="#__codelineno-2-35"></a>        reference_sample = &quot;3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155&quot;
<a id="__codelineno-2-36" name="__codelineno-2-36" href="#__codelineno-2-36"></a>    strings:
<a id="__codelineno-2-37" name="__codelineno-2-37" href="#__codelineno-2-37"></a>        $a1 = &quot;hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event&quot; ascii fullword
<a id="__codelineno-2-38" name="__codelineno-2-38" href="#__codelineno-2-38"></a>        $a2 = &quot;/sbin/mingetty /dev/tty7&quot; ascii fullword
<a id="__codelineno-2-39" name="__codelineno-2-39" href="#__codelineno-2-39"></a>        $a3 = &quot;pickup -l -t fifo -u&quot; ascii fullword
<a id="__codelineno-2-40" name="__codelineno-2-40" href="#__codelineno-2-40"></a>        $a4 = &quot;kdmtmpflush&quot; ascii fullword
<a id="__codelineno-2-41" name="__codelineno-2-41" href="#__codelineno-2-41"></a>        $a5 = &quot;avahi-daemon: chroot helper&quot; ascii fullword
<a id="__codelineno-2-42" name="__codelineno-2-42" href="#__codelineno-2-42"></a>        $a6 = &quot;/sbin/auditd -n&quot; ascii fullword
<a id="__codelineno-2-43" name="__codelineno-2-43" href="#__codelineno-2-43"></a>    condition:
<a id="__codelineno-2-44" name="__codelineno-2-44" href="#__codelineno-2-44"></a>        all of them
<a id="__codelineno-2-45" name="__codelineno-2-45" href="#__codelineno-2-45"></a>}
<a id="__codelineno-2-46" name="__codelineno-2-46" href="#__codelineno-2-46"></a>
<a id="__codelineno-2-47" name="__codelineno-2-47" href="#__codelineno-2-47"></a>rule Linux_Trojan_BPFDoor_3 {
<a id="__codelineno-2-48" name="__codelineno-2-48" href="#__codelineno-2-48"></a>    meta:
<a id="__codelineno-2-49" name="__codelineno-2-49" href="#__codelineno-2-49"></a>        Author = &quot;Elastic Security&quot;
<a id="__codelineno-2-50" name="__codelineno-2-50" href="#__codelineno-2-50"></a>        creation_date = &quot;2022-05-10&quot;
<a id="__codelineno-2-51" name="__codelineno-2-51" href="#__codelineno-2-51"></a>        last_modified = &quot;2022-05-10&quot;
<a id="__codelineno-2-52" name="__codelineno-2-52" href="#__codelineno-2-52"></a>        os = &quot;Linux&quot;
<a id="__codelineno-2-53" name="__codelineno-2-53" href="#__codelineno-2-53"></a>        arch = &quot;x86&quot;
<a id="__codelineno-2-54" name="__codelineno-2-54" href="#__codelineno-2-54"></a>        category_type = &quot;Trojan&quot;
<a id="__codelineno-2-55" name="__codelineno-2-55" href="#__codelineno-2-55"></a>        family = &quot;BPFDoor&quot;
<a id="__codelineno-2-56" name="__codelineno-2-56" href="#__codelineno-2-56"></a>        threat_name = &quot;Linux.Trojan.BPFDoor&quot;
<a id="__codelineno-2-57" name="__codelineno-2-57" href="#__codelineno-2-57"></a>        description = &quot;Detects BPFDoor malware.&quot;
<a id="__codelineno-2-58" name="__codelineno-2-58" href="#__codelineno-2-58"></a>        reference_sample = &quot;591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78&quot;
<a id="__codelineno-2-59" name="__codelineno-2-59" href="#__codelineno-2-59"></a>    strings:
<a id="__codelineno-2-60" name="__codelineno-2-60" href="#__codelineno-2-60"></a>        $a1 = &quot;[-] Spawn shell failed.&quot; ascii fullword
<a id="__codelineno-2-61" name="__codelineno-2-61" href="#__codelineno-2-61"></a>        $a2 = &quot;[+] Packet Successfuly Sending %d Size.&quot; ascii fullword
<a id="__codelineno-2-62" name="__codelineno-2-62" href="#__codelineno-2-62"></a>        $a3 = &quot;[+] Monitor packet send.&quot; ascii fullword
<a id="__codelineno-2-63" name="__codelineno-2-63" href="#__codelineno-2-63"></a>        $a4 = &quot;[+] Using port %d&quot;
<a id="__codelineno-2-64" name="__codelineno-2-64" href="#__codelineno-2-64"></a>        $a5 = &quot;decrypt_ctx&quot; ascii fullword
<a id="__codelineno-2-65" name="__codelineno-2-65" href="#__codelineno-2-65"></a>        $a6 = &quot;getshell&quot; ascii fullword
<a id="__codelineno-2-66" name="__codelineno-2-66" href="#__codelineno-2-66"></a>        $a7 = &quot;getpassw&quot; ascii fullword
<a id="__codelineno-2-67" name="__codelineno-2-67" href="#__codelineno-2-67"></a>        $a8 = &quot;export %s=%s&quot; ascii fullword
<a id="__codelineno-2-68" name="__codelineno-2-68" href="#__codelineno-2-68"></a>    condition:
<a id="__codelineno-2-69" name="__codelineno-2-69" href="#__codelineno-2-69"></a>        all of them
<a id="__codelineno-2-70" name="__codelineno-2-70" href="#__codelineno-2-70"></a>}
<a id="__codelineno-2-71" name="__codelineno-2-71" href="#__codelineno-2-71"></a>
<a id="__codelineno-2-72" name="__codelineno-2-72" href="#__codelineno-2-72"></a>rule Linux_Trojan_BPFDoor_4 {
<a id="__codelineno-2-73" name="__codelineno-2-73" href="#__codelineno-2-73"></a>    meta:
<a id="__codelineno-2-74" name="__codelineno-2-74" href="#__codelineno-2-74"></a>        Author = &quot;Elastic Security&quot;
<a id="__codelineno-2-75" name="__codelineno-2-75" href="#__codelineno-2-75"></a>        creation_date = &quot;2022-05-10&quot;
<a id="__codelineno-2-76" name="__codelineno-2-76" href="#__codelineno-2-76"></a>        last_modified = &quot;2022-05-10&quot;
<a id="__codelineno-2-77" name="__codelineno-2-77" href="#__codelineno-2-77"></a>        os = &quot;Linux&quot;
<a id="__codelineno-2-78" name="__codelineno-2-78" href="#__codelineno-2-78"></a>        arch = &quot;x86&quot;
<a id="__codelineno-2-79" name="__codelineno-2-79" href="#__codelineno-2-79"></a>        category_type = &quot;Trojan&quot;
<a id="__codelineno-2-80" name="__codelineno-2-80" href="#__codelineno-2-80"></a>        family = &quot;BPFDoor&quot;
<a id="__codelineno-2-81" name="__codelineno-2-81" href="#__codelineno-2-81"></a>        threat_name = &quot;Linux.Trojan.BPFDoor&quot;
<a id="__codelineno-2-82" name="__codelineno-2-82" href="#__codelineno-2-82"></a>        description = &quot;Detects BPFDoor malware.&quot;
<a id="__codelineno-2-83" name="__codelineno-2-83" href="#__codelineno-2-83"></a>        reference_sample = &quot;591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78&quot;
<a id="__codelineno-2-84" name="__codelineno-2-84" href="#__codelineno-2-84"></a>    strings:
<a id="__codelineno-2-85" name="__codelineno-2-85" href="#__codelineno-2-85"></a>        $a1 = { 45 D8 0F B6 10 0F B6 45 FF 48 03 45 F0 0F B6 00 8D 04 02 00 }
<a id="__codelineno-2-86" name="__codelineno-2-86" href="#__codelineno-2-86"></a>    condition:
<a id="__codelineno-2-87" name="__codelineno-2-87" href="#__codelineno-2-87"></a>        all of them
<a id="__codelineno-2-88" name="__codelineno-2-88" href="#__codelineno-2-88"></a>}
<a id="__codelineno-2-89" name="__codelineno-2-89" href="#__codelineno-2-89"></a>
<a id="__codelineno-2-90" name="__codelineno-2-90" href="#__codelineno-2-90"></a>rule Linux_Trojan_BPFDoor_5 {
<a id="__codelineno-2-91" name="__codelineno-2-91" href="#__codelineno-2-91"></a>    meta:
<a id="__codelineno-2-92" name="__codelineno-2-92" href="#__codelineno-2-92"></a>        Author = &quot;Elastic Security&quot;
<a id="__codelineno-2-93" name="__codelineno-2-93" href="#__codelineno-2-93"></a>        creation_date = &quot;2022-05-10&quot;
<a id="__codelineno-2-94" name="__codelineno-2-94" href="#__codelineno-2-94"></a>        last_modified = &quot;2022-05-10&quot;
<a id="__codelineno-2-95" name="__codelineno-2-95" href="#__codelineno-2-95"></a>        os = &quot;Linux&quot;
<a id="__codelineno-2-96" name="__codelineno-2-96" href="#__codelineno-2-96"></a>        arch = &quot;x86&quot;
<a id="__codelineno-2-97" name="__codelineno-2-97" href="#__codelineno-2-97"></a>        category_type = &quot;Trojan&quot;
<a id="__codelineno-2-98" name="__codelineno-2-98" href="#__codelineno-2-98"></a>        family = &quot;BPFDoor&quot;
<a id="__codelineno-2-99" name="__codelineno-2-99" href="#__codelineno-2-99"></a>        threat_name = &quot;Linux.Trojan.BPFDoor&quot;
<a id="__codelineno-2-100" name="__codelineno-2-100" href="#__codelineno-2-100"></a>        description = &quot;Detects BPFDoor malware.&quot;
<a id="__codelineno-2-101" name="__codelineno-2-101" href="#__codelineno-2-101"></a>        reference_sample = &quot;76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925&quot;
<a id="__codelineno-2-102" name="__codelineno-2-102" href="#__codelineno-2-102"></a>    strings:
<a id="__codelineno-2-103" name="__codelineno-2-103" href="#__codelineno-2-103"></a>        $a1 = &quot;getshell&quot; ascii fullword
<a id="__codelineno-2-104" name="__codelineno-2-104" href="#__codelineno-2-104"></a>        $a2 = &quot;/sbin/agetty --noclear tty1 linux&quot; ascii fullword
<a id="__codelineno-2-105" name="__codelineno-2-105" href="#__codelineno-2-105"></a>        $a3 = &quot;packet_loop&quot; ascii fullword
<a id="__codelineno-2-106" name="__codelineno-2-106" href="#__codelineno-2-106"></a>        $a4 = &quot;godpid&quot; ascii fullword
<a id="__codelineno-2-107" name="__codelineno-2-107" href="#__codelineno-2-107"></a>        $a5 = &quot;ttcompat&quot; ascii fullword
<a id="__codelineno-2-108" name="__codelineno-2-108" href="#__codelineno-2-108"></a>        $a6 = &quot;decrypt_ctx&quot; ascii fullword
<a id="__codelineno-2-109" name="__codelineno-2-109" href="#__codelineno-2-109"></a>        $a7 = &quot;rc4_init&quot; ascii fullword
<a id="__codelineno-2-110" name="__codelineno-2-110" href="#__codelineno-2-110"></a>        $b1 = { D0 48 89 45 F8 48 8B 45 F8 0F B6 40 0C C0 E8 04 0F B6 C0 C1 }
<a id="__codelineno-2-111" name="__codelineno-2-111" href="#__codelineno-2-111"></a>    condition:
<a id="__codelineno-2-112" name="__codelineno-2-112" href="#__codelineno-2-112"></a>        all of ($a*) or 1 of ($b*)
<a id="__codelineno-2-113" name="__codelineno-2-113" href="#__codelineno-2-113"></a>}
<a id="__codelineno-2-114" name="__codelineno-2-114" href="#__codelineno-2-114"></a>
<a id="__codelineno-2-115" name="__codelineno-2-115" href="#__codelineno-2-115"></a>rule Linux_Trojan_BPFDoor_6 {
<a id="__codelineno-2-116" name="__codelineno-2-116" href="#__codelineno-2-116"></a>    meta:
<a id="__codelineno-2-117" name="__codelineno-2-117" href="#__codelineno-2-117"></a>        Author = &quot;Elastic Security&quot;
<a id="__codelineno-2-118" name="__codelineno-2-118" href="#__codelineno-2-118"></a>        creation_date = &quot;2022-05-10&quot;
<a id="__codelineno-2-119" name="__codelineno-2-119" href="#__codelineno-2-119"></a>        last_modified = &quot;2022-05-10&quot;
<a id="__codelineno-2-120" name="__codelineno-2-120" href="#__codelineno-2-120"></a>        os = &quot;Linux&quot;
<a id="__codelineno-2-121" name="__codelineno-2-121" href="#__codelineno-2-121"></a>        arch = &quot;x86&quot;
<a id="__codelineno-2-122" name="__codelineno-2-122" href="#__codelineno-2-122"></a>        category_type = &quot;Trojan&quot;
<a id="__codelineno-2-123" name="__codelineno-2-123" href="#__codelineno-2-123"></a>        family = &quot;BPFDoor&quot;
<a id="__codelineno-2-124" name="__codelineno-2-124" href="#__codelineno-2-124"></a>        threat_name = &quot;Linux.Trojan.BPFDoor&quot;
<a id="__codelineno-2-125" name="__codelineno-2-125" href="#__codelineno-2-125"></a>        description = &quot;Detects BPFDoor malware.&quot;
<a id="__codelineno-2-126" name="__codelineno-2-126" href="#__codelineno-2-126"></a>        reference_sample = &quot;dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a&quot;
<a id="__codelineno-2-127" name="__codelineno-2-127" href="#__codelineno-2-127"></a>    strings:
<a id="__codelineno-2-128" name="__codelineno-2-128" href="#__codelineno-2-128"></a>        $a1 = &quot;getpassw&quot; ascii fullword
<a id="__codelineno-2-129" name="__codelineno-2-129" href="#__codelineno-2-129"></a>        $a2 = &quot;(udp[8:2]=0x7255) or (icmp[8:2]=0x7255) or (tcp[((tcp[12]&amp;0xf0)&gt;&gt;2):2]=0x5293)&quot; ascii fullword
<a id="__codelineno-2-130" name="__codelineno-2-130" href="#__codelineno-2-130"></a>        $a3 = &quot;/var/run/haldrund.pid&quot; ascii fullword
<a id="__codelineno-2-131" name="__codelineno-2-131" href="#__codelineno-2-131"></a>        $a4 = &quot;Couldn&#39;t install filter %s: %s&quot; ascii fullword
<a id="__codelineno-2-132" name="__codelineno-2-132" href="#__codelineno-2-132"></a>        $a5 = &quot;godpid&quot; ascii fullword
<a id="__codelineno-2-133" name="__codelineno-2-133" href="#__codelineno-2-133"></a>    condition:
<a id="__codelineno-2-134" name="__codelineno-2-134" href="#__codelineno-2-134"></a>        all of them
<a id="__codelineno-2-135" name="__codelineno-2-135" href="#__codelineno-2-135"></a>}
</code></pre></div>
<h2 id="interacting-with-bpfdoor">Interacting with BPFDoor<a class="headerlink" href="#interacting-with-bpfdoor" title="Permanent link">&para;</a></h2>
<p>The Elastic Security Team has released several tools that can aid in further research regarding BPFDoor to include a network scanner used to identify infected hosts, a BPFDoor malware configuration extractor, and a BPFDoor client binary that can be used to actively interact with a sample.</p>
<h3 id="bpfdoor-scanner">BPFDoor Scanner<a class="headerlink" href="#bpfdoor-scanner" title="Permanent link">&para;</a></h3>
<p>The Elastic Security Team <a href="../../../../../tools/bpfdoor-scanner/">has released</a> a Python script that can identify if you have BPFDoor infected hosts.</p>
<p>The scanner sends a packet to a defined IP address using the default target port (<code>68/UDP</code>)and default interface. It listens to return traffic on port <code>53/UDP</code>.</p>
<figure>
<p><img alt="BPFDoor scanner tool" src="../media/image17.png" title="BPFDoor scanner tool" /></p>
<figcaption>BPFDoor scanner tool</figcaption>
</figure>
<h3 id="bpfdoor-configuration-extractor">BPFDoor Configuration Extractor<a class="headerlink" href="#bpfdoor-configuration-extractor" title="Permanent link">&para;</a></h3>
<p>This tool will allow you to extract configurations from any BPFDoor malware you may have collected. This will allow you to develop additional signatures and further analysis of the malware as well as your environment.</p>
<p>The BPFDoor configuration extractor can be downloaded <a href="../../../../../tools/bpfdoor-config-extractor/">here</a>.</p>
<figure>
<p><img alt="BPFDoor configuration extractor" src="../media/image16.png" title="BPFDoor configuration extractor" /></p>
<figcaption>BPFDoor configuration extractor</figcaption>
</figure>
<h3 id="bpfdoor-client-poc">BPFDoor Client POC<a class="headerlink" href="#bpfdoor-client-poc" title="Permanent link">&para;</a></h3>
<p>Quickly after beginning our research into this malware we realized we would also need to actively interact with BPFDoor in order to observe the full extent of the capabilities that it possesses and monitor what these capabilities would look like from a host and SIEM level.</p>
<p>In order to do this, we had to break down the BPF filters in the BPFDoor source code so we could craft packets for the different protocols. To do this, we used <a href="https://scapy.net/">Scapy</a>, a packet manipulation program, to ensure we could pass the filters for the purpose of activating the backdoor. Once we ensured we could pass the filters, Rhys Rustad-Elliott, an engineer at Elastic built a BPFDoor client that accepts a password, IP address, and port allowing you to connect to a BPFDoor sample and interact if you possess the sample&rsquo;s hardcoded passwords.</p>
<p>Depending on the password or lack of password provided, BPFDoor will behave exactly the same way it would in the wild. You can invoke a reverse shell, establish a bind shell, or connect to it with no supplied password to receive a ping-back confirming its installation.</p>
<figure>
<p><img alt="A preview of the BPFDoor Client developed by Elastic Security to assist in research" src="../media/image13.png" title="A preview of the BPFDoor Client developed by Elastic Security to assist in research" /></p>
<figcaption>A preview of the BPFDoor Client developed by Elastic Security to assist in research</figcaption>
</figure>
<p>Researchers looking to use BPFDoor can <a href="mailto:threat-notification@elastic.co">reach out to Elastic Security</a> for access to the BPFDoor client POC. Please note that these tools will be shared at our discretion with those in the trusted security community looking to improve the detection of this vulnerability.</p>
<h2 id="impact">Impact<a class="headerlink" href="#impact" title="Permanent link">&para;</a></h2>
<p>The following MITRE ATT&amp;CK Tactic, Techniques, and Sub-techniques have been observed with the BPFDoor malware.</p>
<h3 id="tactics">Tactics<a class="headerlink" href="#tactics" title="Permanent link">&para;</a></h3>
<p>Tactics represent the &ldquo;why&rdquo; of an ATT&amp;CK technique or sub-technique. It is the adversary&rsquo;s tactical goal: the reason for performing an action.</p>
<ul>
<li><a href="https://attack.mitre.org/tactics/TA0002/">Execution</a></li>
</ul>
<h3 id="techniques-sub-techniques">Techniques (sub-techniques)<a class="headerlink" href="#techniques-sub-techniques" title="Permanent link">&para;</a></h3>
<p>Techniques (and sub-techniques) represent &lsquo;how&rsquo; an adversary achieves a tactical goal by performing an action.</p>
<ul>
<li><a href="https://attack.mitre.org/techniques/T1106/">Native API</a></li>
<li><a href="https://attack.mitre.org/techniques/T1133/">External Remote Services</a></li>
<li><a href="https://attack.mitre.org/techniques/T1564/">Hide Artifacts</a></li>
<li><a href="https://attack.mitre.org/techniques/T1070/">Indicator Removal on Host</a></li>
<li><a href="https://attack.mitre.org/techniques/T1095/">Non-Application Layer Protocol</a></li>
<li><a href="https://attack.mitre.org/techniques/T1059/004">Command and Scripting Interpreter: Unix Shell</a></li>
<li><a href="https://attack.mitre.org/techniques/T1548/001/">Abuse Elevation Control Mechanism: Setuid and Setgid</a></li>
</ul>
<h2 id="source-pseudocode">Source Pseudocode<a class="headerlink" href="#source-pseudocode" title="Permanent link">&para;</a></h2>
<p>To clearly articulate the details of this malware, we’ve created <a href="../media/bpfdoor_pseudocode.pdf">two diagrams</a> that outline the specific pseudocode for BPFDoor based on the source code uploaded to VT and found on Pastebin. While this contains a lot of detail, it is simple to understand if researchers choose to further this research.</p>
<h2 id="summary">Summary<a class="headerlink" href="#summary" title="Permanent link">&para;</a></h2>
<p>While threat groups continue to increase in maturity, we expect this kind of mature, well designed and hidden threat will continue to be found within Linux environments. These kinds of findings reiterate the importance of comprehensive security controls across the entirety of a fleet, rather than simply focusing on user endpoints.</p>
<p>BPFDoor demonstrates a perfect example of how important monitoring workloads within Linux environments can be. Payloads such as this are near-on impossible to observe and detect without sufficient controls, and should be considered a moving trend within the general adversarial landscape.</p>
<h2 id="observables">Observables<a class="headerlink" href="#observables" title="Permanent link">&para;</a></h2>
<table>
<thead>
<tr>
<th>Observable</th>
<th>Type</th>
<th>Reference</th>
<th>Note</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>/dev/shm/kdmtmpflush</code></td>
<td>process name</td>
<td>BPFDoor process name</td>
<td>Observed process name of BPFDoor</td>
</tr>
<tr>
<td><code>/var/run/haldrund.pid</code></td>
<td>file name</td>
<td>BPFDoor file name</td>
<td>Observed BPFDoor PID file</td>
</tr>
<tr>
<td><code>/var/run/kdevrund.pid</code></td>
<td>file name</td>
<td>BPFDoor file name</td>
<td>Observed BPFDoor PID file</td>
</tr>
<tr>
<td><code>/var/run/xinetd.lock</code></td>
<td>file name</td>
<td>BPFDoor file name</td>
<td>Observed BPFDoor lock file</td>
</tr>
<tr>
<td><code>74ef6cc38f5a1a80148752b63c117e6846984debd2af806c65887195a8eccc56</code></td>
<td>SHA-256</td>
<td>BPFDoor malware</td>
<td></td>
</tr>
<tr>
<td><code>07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d</code></td>
<td>SHA-256</td>
<td>BPFDoor malware</td>
<td></td>
</tr>
<tr>
<td><code>76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925</code></td>
<td>SHA-256</td>
<td>BPFDoor malware</td>
<td></td>
</tr>
<tr>
<td><code>93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c</code></td>
<td>SHA-256</td>
<td>BPFDoor malware</td>
<td></td>
</tr>
<tr>
<td><code>96e906128095dead57fdc9ce8688bb889166b67c9a1b8fdb93d7cff7f3836bb9</code></td>
<td>SHA-256</td>
<td>BPFDoor malware</td>
<td></td>
</tr>
<tr>
<td><code>599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683</code></td>
<td>SHA-256</td>
<td>BPFDoor malware</td>
<td></td>
</tr>
<tr>
<td><code>2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb</code></td>
<td>SHA-256</td>
<td>BPFDoor malware</td>
<td></td>
</tr>
<tr>
<td><code>f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72</code></td>
<td>SHA-256</td>
<td>BPFDoor malware</td>
<td></td>
</tr>
<tr>
<td><code>fd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a</code></td>
<td>SHA-256</td>
<td>BPFDoor malware</td>
<td></td>
</tr>
<tr>
<td><code>5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3</code></td>
<td>SHA-256</td>
<td>BPFDoor malware</td>
<td></td>
</tr>
<tr>
<td><code>f8a5e735d6e79eb587954a371515a82a15883cf2eda9d7ddb8938b86e714ea27</code></td>
<td>SHA-256</td>
<td>BPFDoor malware</td>
<td></td>
</tr>
<tr>
<td><code>5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9</code></td>
<td>SHA-256</td>
<td>BPFDoor malware</td>
<td></td>
</tr>
<tr>
<td><code>97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc</code></td>
<td>SHA-256</td>
<td>BPFDoor malware</td>
<td></td>
</tr>
<tr>
<td><code>c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c</code></td>
<td>SHA-256</td>
<td>BPFDoor malware</td>
<td></td>
</tr>
<tr>
<td><code>4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d</code></td>
<td>SHA-256</td>
<td>BPFDoor malware</td>
<td></td>
</tr>
</tbody>
</table>
<h2 id="references">References<a class="headerlink" href="#references" title="Permanent link">&para;</a></h2>
<ul>
<li>https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896</li>
<li>https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf</li>
<li>https://www.pangulab.cn/en/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group</li>
<li>https://www.pangulab.cn/en/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group</li>
</ul>


  <hr>
<div class="md-source-file">
  <small>
    
      Last update:
      <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">May 19, 2022</span>
      
        <br>
        Created:
        <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">May 18, 2022</span>
      
    
  </small>
</div>

              
            </article>
            
          </div>
        </div>
        
      </main>
      
        <footer class="md-footer">
  
    <nav class="md-footer__inner md-grid" aria-label="Footer">
      
        
        <a href="../../../03/03.dirty-pipe/article/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Detecting and responding to Dirty Pipe with Elastic" rel="prev">
          <div class="md-footer__button md-icon">
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
          </div>
          <div class="md-footer__title">
            <div class="md-ellipsis">
              <span class="md-footer__direction">
                Previous
              </span>
              Detecting and responding to Dirty Pipe with Elastic
            </div>
          </div>
        </a>
      
      
        
        <a href="../../../../../malware/" class="md-footer__link md-footer__link--next" aria-label="Next: Elastic Malware Analysis" rel="next">
          <div class="md-footer__title">
            <div class="md-ellipsis">
              <span class="md-footer__direction">
                Next
              </span>
              Elastic Malware Analysis
            </div>
          </div>
          <div class="md-footer__button md-icon">
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
          </div>
        </a>
      
    </nav>
  
  <div class="md-footer-meta md-typeset">
    <div class="md-footer-meta__inner md-grid">
      <div class="md-copyright">
  
    <div class="md-copyright__highlight">
      &copy; 2022. Elasticsearch B.V. All Rights Reserved
    </div>
  
  
</div>
      
    </div>
  </div>
</footer>
      
    </div>
    <div class="md-dialog" data-md-component="dialog">
      <div class="md-dialog__inner md-typeset"></div>
    </div>
    
      <div class="md-consent" data-md-component="consent" id="__consent" hidden>
        <div class="md-consent__overlay"></div>
        <aside class="md-consent__inner">
          <form class="md-consent__form md-grid md-typeset" name="consent">
            


  

<h4>Cookie consent</h4>
<p>We use cookies to recognize your repeated visits and preferences, as well as to measure the effectiveness of our reports and whether users find what they're searching for. With your consent, you're helping us to make our reporting better.</p>
<input type="checkbox" class="md-toggle" id="__settings">
<div class="md-consent__settings">
  <ul class="task-list">
    
      
        
        
      
      <li class="task-list-item">
        <label class="task-list-control">
          <input type="checkbox" name="analytics" checked>
          <span class="task-list-indicator"></span>
          Google Analytics
        <label>
      </li>
    
  </ul>
</div>
<div class="md-consent__controls">
  <label class="md-button" for="__settings">Manage settings</label>
  <button class="md-button md-button--primary">Accept</button>
</div>
          </form>
        </aside>
      </div>
      <script>var consent=__md_get("__consent");if(consent)for(var input of document.forms.consent.elements)input.name&&(input.checked=consent[input.name]||!1);else"file:"!==location.protocol&&setTimeout(function(){document.querySelector("[data-md-component=consent]").hidden=!1},250);var form=document.forms.consent;form.addEventListener("submit",function(n){n.preventDefault(),__md_set("__consent",Object.fromEntries(Array.from(new FormData(form).keys()).map(function(n){return[n,!0]}))),location.hash="",location.reload()})</script>
    
    <script id="__config" type="application/json">{"base": "../../../../..", "features": ["content.code.annotate", "navigation.tabs"], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "../../../../../assets/javascripts/workers/search.5c9dbbf3.min.js"}</script>
    
    
      <script src="../../../../../assets/javascripts/bundle.8be037b4.min.js"></script>
      
    
  </body>
</html>